Published by Clara Davis. Modified over 9 years ago.
Slide 1: Best Practices and Techniques for Building Secure Microsoft ASP.NET Applications
Jonas Thomsen, Ph.D. student, Computer Science, University of Aarhus, jonas.thomsen@daimi.au.dk
Slide 2: What We Will Cover
- Why Web application security?
- Planning for Web application security
- Authentication and authorization strategies
- Using the ASP.NET process identity
- Secure communication
- Securing secrets and state information
Slide 3: So Why This Presentation?
- Web application security is more important than ever
- Ensure that security is a consideration in application design
- Creating secure Web applications is a series of complex tasks
- Promote best techniques for security
- Let developers know about new resources available: msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
Slide 4: Agenda
- Planning for ASP.NET application security
- Configuring security
- Securing secrets
- ASP.NET process identity
- Impersonation
Slide 5: Planning for ASP.NET Web Application Security: Authentication and Authorization
- Authentication / authorization request flow (diagram)
Slide 6: Planning for ASP.NET Web Application Security: Authentication and Authorization
- Identify the resources exposed to the client
- Identify the resources the application itself needs to access
- Choose an authorization strategy: role-based or resource-based
Slide 7: Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choose the identities used to access resources: ASP.NET process identity (default), custom identity, original caller, or fixed identity
- Decide on identity flow: to the application, or to the operating system
Slide 8: Planning for ASP.NET Web Application Security: Authentication and Authorization
Choosing an authentication approach, Internet scenarios (decision flow):
- Start: users do not have Windows accounts or certificates
- Is it an interactive Web application?
  - Yes: use Passport or Forms authentication
  - No (Web service): use GXA WS-Security authentication
Slide 9: Planning for ASP.NET Web Application Security: Authentication and Authorization
- Choosing an authentication approach (continued; diagram)
Slide 10: Planning for ASP.NET Web Application Security: Secure Communication Strategies
- From client to Web server
- From Web server to database and application servers
Slide 11: Planning for ASP.NET Web Application Security: Threat Modeling
- An iterative process
Slide 12: Planning for ASP.NET Web Application Security: Specific Threats
- Common attacks against Web applications
Slide 13: Planning for ASP.NET Web Application Security: Specific Threats
- SQL injection: attacker input alters an existing query or creates a new one. Solution: use stored procedures with parameters.
- Cross-site scripting: malicious script is sent to the application as input and later served to other users; frequently used to steal session cookies for cookie replay attacks. Solutions: server-side input validation; encode all output that includes input.
- Buffer overflows: in unmanaged code, an overrun buffer can lead to arbitrary code execution. Solution: server-side input validation (length and type checks before data reaches unmanaged code).
Slide 14: Example: SQL injection
Vulnerable: the query is built by string concatenation, so the supplied value is parsed as SQL:

    SqlCommand cmd = new SqlCommand(
        "SELECT * FROM users WHERE username = '" + suppliedUserName + "';", conn);

With suppliedUserName = "' OR '1'='1" the statement sent to the server becomes

    SELECT * FROM users WHERE username = '' OR '1'='1';

which matches every row.

Fixed: call a parameterized stored procedure; the value is bound as data and never parsed as SQL:

    SqlCommand cmd = new SqlCommand("LookupUser", conn);
    cmd.CommandType = CommandType.StoredProcedure;
    SqlParameter sqlParam = cmd.Parameters.Add("@userName", SqlDbType.VarChar, 255);
    sqlParam.Value = suppliedUserName;
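The two SqlCommand variants from slide 14, replayed as an added example that is not part of the original deck: Python against an in-memory SQLite database stands in for SQL Server and SqlClient, a bound placeholder stands in for the @userName parameter of the stored procedure, and the table, rows and payload are constructed here. The block also includes the allow-list input validation and HTML output encoding that slide 13 lists as countermeasures, so the same run shows all three defences.

```python
import html
import re
import sqlite3

# Constructed sample table; not data from the original slides.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]

# Classic injection payload: closes the quoted literal, then appends an always-true clause.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """In-memory SQLite database standing in for the SQL Server 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, supplied_user_name):
    """Mirrors the slide's concatenated SqlCommand: the supplied text is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + supplied_user_name + "';"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_user_parameterized(conn, supplied_user_name):
    """Mirrors the slide's parameterised stored procedure: the value is bound as data.

    SQLite has no stored procedures, so a bound '?' placeholder plays the role of
    the @userName SqlParameter; the attacker's quotes never reach the SQL parser.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (supplied_user_name,)))


# Allow-list for usernames: letters, digits, '.', '_' and '-', 1 to 64 characters.
# The character set and length are assumptions for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(supplied):
    """Server-side input validation, the slide's defence for all three threat classes.

    Defence in depth: it rejects the payload early, but the bound parameter is
    what actually makes the query safe.
    """
    return USERNAME_RE.fullmatch(supplied) is not None


def encode_for_html(text):
    """Encode output that includes user input before writing it into a page (XSS defence)."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input:", lookup_user_vulnerable(db, "alice"))
    print("vulnerable, payload     :", lookup_user_vulnerable(db, INJECTION_PAYLOAD))
    print("parameterized, payload  :", lookup_user_parameterized(db, INJECTION_PAYLOAD))
    print("payload passes allow-list?", is_valid_username(INJECTION_PAYLOAD))
    print("encoded:", encode_for_html("<script>alert(document.cookie)</script>"))
```

The vulnerable lookup returns all three users for the payload; the parameterized lookup returns none, because the whole string is compared as one username. Note that the allow-list alone is not the fix: a username field that legitimately permits apostrophes (O'Brien) would still need parameters.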
Slide 15: Agenda (repeats slide 4)
Slide 16: Configuring Security: IIS to Secure Communication
Slide 17: Configuring Web Application Security: Configure IIS Settings
- Optionally install a Web server certificate for SSL
- Configure IIS authentication
- Optionally configure client certificate mapping
- Set NTFS permissions on files and folders
Slide 18: Configuring Web Application Security: ASP.NET Settings in Web.config
- Configure the authentication mode (<authentication mode="...">)
- Configure impersonation (<identity impersonate="...">)
- Configure authorization (<authorization> ... </authorization>)
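A filled-in Web.config fragment for the three settings above, added here as an example and not part of the original slides. The role name "Admins" and the page name "Login.aspx" are assumed. ASP.NET evaluates <authorization> rules top-down and stops at the first match, so the <deny users="*" /> must come after the allow rule; with the order reversed, or with a lone <allow users="*" />, every caller gets through (the "wrong security is worse than no security" point from the summary). requireSSL and slidingExpiration on <forms> need ASP.NET 1.1 or later.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication for Internet users without Windows accounts.
         requireSSL keeps the ticket cookie off cleartext connections;
         protection="All" both encrypts and validates (MACs) the ticket. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="All"
             timeout="20" requireSSL="true" slidingExpiration="false" />
    </authentication>

    <!-- No impersonation: requests run as the least-privileged process account,
         and no fixed-identity password has to be stored in this file. -->
    <identity impersonate="false" />

    <!-- URL authorization with role-based checks. First matching rule wins:
         allow the role, then deny everyone else. -->
    <authorization>
      <allow roles="Admins" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Anonymous users ("?") must still be able to reach the login page. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A weak variant of the same fragment that is common in practice is `<authorization><allow users="*" /></authorization>` at the application root with the intention of tightening individual folders later; until those overrides exist, URL authorization is effectively off.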
Slide 19: Agenda (repeats slide 4)
Slide 20: Storing Secrets: Secret Examples
- Database connection strings
- Credentials for SQL roles
- Fixed identities in Web.config
- Process identity in Machine.config
- Keys used to store data securely
- SQL Server session state connection
- Passwords used for forms authentication against a database
Slide 21: Storing Secrets: Storage Methods and Tips
- Install Web application directories on a separate logical volume from the OS
- Secret storage methods for ASP.NET apps:
  - Data Protection API (DPAPI)
  - COM+ constructor strings
  - .NET cryptography classes
  - CAPICOM
  - Crypto API
Slide 22: Agenda (repeats slide 4)
Slide 23: ASP.NET Process Identity Guidelines
- Configured in the <processModel> element of Machine.config
- Always run ASP.NET as a least-privileged account
- Never run ASP.NET as SYSTEM
- Using the default ASPNET account to access remote resources (a local account cannot be authenticated by another machine):
  - Create duplicate local accounts with the same user name and password on the remote computers, or
  - Use a least-privileged domain account
Slide 24: Agenda (repeats slide 4)
Slide 25: Impersonation: Flowing Client Identity
- Inherent performance issues
- Consider instead:
  - URL or file authorization with role-based checks
  - Efficient management of gatekeepers and trust boundaries
Slide 26: Impersonation: Flowing Client Identity
- Four reasons to use impersonation:
  - Auditing at the OS level
  - Flowing the original caller through to access resources
  - Using a fixed identity
  - Preserving the default behaviour of a ported classic ASP application
- For local resources: create an ACE granting the user read access; better still, avoid impersonation and use URL or file authorization with role-based checks
- For remote resources: you must use Basic, Forms or Kerberos authentication, because the Web server needs either the caller's credentials or a delegatable token to authenticate to the second machine (an NTLM token cannot be forwarded)
- Threading consideration: child threads inherit the ASP.NET process account's security context, not the impersonated caller's
Slide 27: Session Summary
- Planning for security is part of designing a Web application
- Threat modeling can help your team focus resources on security
- Creating a secure Web application is demanding; Microsoft and others provide resources to help you
- Wrong security is worse than no security!
Slide 28: For More Information
- ASP.NET Web site: www.asp.net
- TechNet Security home page: www.microsoft.com/technet/security
- Microsoft Security and Privacy home page: www.microsoft.com/security/
Slide 29: For More Information
- Improving Web Application Security: Threats and Countermeasures: msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
- Building Secure ASP.NET Applications: msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp